feat: Folder authorization backend

apps/application/serializers/application.py

@@ -347,14 +347,15 @@ def get_query_set(self, instance: Dict, workspace_manage: bool, is_x_pack_ee: bo
         application_custom_sql_query_set = application_query_set
         application_query_set = application_query_set.order_by("-create_time")
 
-        return {'folder_query_set': folder_query_set,
-                'application_query_set': application_query_set,
-                'workspace_user_resource_permission_query_set': QuerySet(WorkspaceUserResourcePermission).filter(
+        resource_and_folder_query_set = QuerySet(WorkspaceUserResourcePermission).filter(
                     auth_target_type="APPLICATION",
                     workspace_id=workspace_id,
-                    user_id=user_id)} if (
+                    user_id=user_id)
+
+        return {'application_query_set': application_query_set,
+                'workspace_user_resource_permission_query_set': resource_and_folder_query_set,
+                } if (
             not workspace_manage) else {
-            'folder_query_set': folder_query_set,
             'application_query_set': application_query_set,
             'application_custom_sql': application_custom_sql_query_set
         }

apps/application/sql/list_application.sql

@@ -15,8 +15,5 @@ from (select application."id"::text, application."name",
       from application
                left join "user" on user_id = "user".id
           ${application_custom_sql}
-      UNION
-      select application_folder."id", application_folder."name", application_folder."desc", true as "is_publish", 'folder' as "type", 'folder' as "resource_type", application_folder."workspace_id", application_folder."parent_id" as "folder_id", application_folder."user_id", "user"."nick_name" as "nick_name", application_folder."create_time", application_folder."update_time", null as "publish_time", null as "icon"
-      from application_folder left join "user"
-      on user_id = "user".id ${folder_query_set}) temp
+      ) temp
     ${application_query_set}

apps/application/sql/list_application_user.sql

@@ -16,21 +16,5 @@ from (select application."id"::text, application."name",
                left join "user" on user_id = "user".id
       where application."id" in (select target
                                  from workspace_user_resource_permission ${workspace_user_resource_permission_query_set}
-        and 'VIEW' = any (permission_list))
-UNION
-select application_folder."id",
-       application_folder."name",
-       application_folder."desc",
-       true                           as "is_publish",
-       'folder'                       as "type",
-       'folder'                       as "resource_type",
-       application_folder."workspace_id",
-       application_folder."parent_id" as "folder_id",
-       application_folder."user_id",
-       "user"."nick_name"             as "nick_name",
-       application_folder."create_time",
-       application_folder."update_time",
-       null                           as "publish_time",
-       null                           as "icon"
-from application_folder
-         left join "user" on user_id = "user".id ${folder_query_set}) temp ${application_query_set}
+        and 'VIEW' = any (permission_list))) temp
+${application_query_set}

apps/application/sql/list_application_user_ee.sql

@@ -14,7 +14,7 @@ from (select application."id"::text, application."name",
              application.icon
       from application
                left join "user" on user_id = "user".id
-      where "application".id in (select target
+      where "application".id::text in (select target
                                  from workspace_user_resource_permission ${workspace_user_resource_permission_query_set}
         and case
                 when auth_type = 'ROLE' then
@@ -33,22 +33,5 @@ from (select application."id"::text, application."name",
 
                 else
                     'VIEW' = any (permission_list)
-          end)
-UNION
-select application_folder."id",
-       application_folder."name",
-       application_folder."desc",
-       true                           as "is_publish",
-       'folder'                       as "type",
-       'folder'                       as "resource_type",
-       application_folder."workspace_id",
-       application_folder."parent_id" as "folder_id",
-       application_folder."user_id",
-       "user"."nick_name"             as "nick_name",
-       application_folder."create_time",
-       application_folder."update_time",
-       null                           as "publish_time",
-       null                           as "icon"
-
-from application_folder
-         left join "user" on user_id = "user".id ${folder_query_set}) temp ${application_query_set}
+          end)) temp
+${application_query_set}

apps/common/constants/permission_constants.py

@@ -88,6 +88,10 @@ class Group(Enum):
     OVERVIEW = "OVERVIEW"
     OPERATION_LOG = "OPERATION_LOG"
 
+    APPLICATION_FOLDER = "APPLICATION_FOLDER"
+    KNOWLEDGE_FOLDER = "KNOWLEDGE_FOLDER"
+    TOOL_FOLDER = "TOOL_FOLDER"
+
 
 class SystemGroup(Enum):
     """
@@ -203,8 +207,11 @@ def __eq__(self, other):
 
 class Resource(models.TextChoices):
     KNOWLEDGE = Group.KNOWLEDGE.value
+    KNOWLEDGE_FOLDER = Group.KNOWLEDGE_FOLDER.value
     APPLICATION = Group.APPLICATION.value
+    APPLICATION_FOLDER = Group.APPLICATION_FOLDER.value
     TOOL = Group.TOOL.value
+    TOOL_FOLDER = Group.TOOL_FOLDER.value
     MODEL = Group.MODEL.value
 
     def __eq__(self, other):
@@ -222,10 +229,16 @@ def __eq__(self, other):
 
 class ResourcePermissionConst:
     KNOWLEDGE_MANGE = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.MANAGE)
+    KNOWLEDGE_FOLDER_MANGE = ResourcePermissionGroup(Resource.KNOWLEDGE_FOLDER, ResourcePermission.MANAGE)
+    KNOWLEDGE_FOLDER_VIEW = ResourcePermissionGroup(Resource.KNOWLEDGE_FOLDER, ResourcePermission.VIEW)
     KNOWLEDGE_VIEW = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.VIEW)
     APPLICATION_MANGE = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.MANAGE)
+    APPLICATION_FOLDER_MANGE = ResourcePermissionGroup(Resource.APPLICATION_FOLDER, ResourcePermission.MANAGE)
+    APPLICATION_FOLDER_VIEW = ResourcePermissionGroup(Resource.APPLICATION_FOLDER, ResourcePermission.VIEW)
     APPLICATION_VIEW = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.VIEW)
     TOOL_MANGE = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.MANAGE)
+    TOOL_FOLDER_MANGE = ResourcePermissionGroup(Resource.TOOL_FOLDER, ResourcePermission.MANAGE)
+    TOOL_FOLDER_VIEW = ResourcePermissionGroup(Resource.TOOL_FOLDER, ResourcePermission.VIEW)
     TOOL_VIEW = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.VIEW)
     MODEL_MANGE = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.MANAGE)
     MODEL_VIEW = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.VIEW)
@@ -437,6 +450,30 @@ class PermissionConstants(Enum):
     TOOL = Permission(
         group=Group.TOOL, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
     )
+    APPLICATION_FOLDER_READ = Permission(
+        group=Group.APPLICATION_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW]
+    )
+    APPLICATION_FOLDER_EDIT = Permission(
+        group=Group.APPLICATION_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE]
+    )
+    KNOWLEDGE_FOLDER_READ = Permission(
+        group=Group.KNOWLEDGE_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW]
+    )
+    KNOWLEDGE_FOLDER_EDIT = Permission(
+        group=Group.KNOWLEDGE_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE]
+    )
+    TOOL_FOLDER_READ = Permission(
+        group=Group.TOOL_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_VIEW]
+    )
+    TOOL_FOLDER_EDIT = Permission(
+        group=Group.TOOL_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
+    )
 
     USER_READ = Permission(
         group=Group.USER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],

apps/folders/serializers/folder.py

@@ -2,7 +2,7 @@
 
 import uuid_utils.compat as uuid
 from django.db import transaction
-from django.db.models import QuerySet, Q
+from django.db.models import QuerySet, Q, Func, F
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -269,7 +269,8 @@ def _check_tree_integrity(queryset):
                 return True  # 需要重建
         return False
 
-    def get_folder_tree(self, name=None):
+    def get_folder_tree(self,
+                        current_user, name=None):
         self.is_valid(raise_exception=True)
         Folder = get_folder_type(self.data.get('source'))  # noqa
 
@@ -280,15 +281,21 @@ def get_folder_tree(self, name=None):
         if self._check_tree_integrity(workspace_folders):
             Folder.objects.rebuild()
 
+        workspace_manage = is_workspace_manage(current_user.id, self.data.get('workspace_id'))
+
+        base_q = Q(workspace_id=self.data.get('workspace_id'))
+
         if name is not None:
-            nodes = Folder.objects.filter(
-                Q(workspace_id=self.data.get('workspace_id')) &
-                Q(name__contains=name)
-            ).get_cached_trees()
-        else:
-            nodes = Folder.objects.filter(
-                Q(workspace_id=self.data.get('workspace_id'))
-            ).get_cached_trees()
+            base_q &= Q(name__contains=name)
+        if not workspace_manage:
+            base_q &= Q(id__in=WorkspaceUserResourcePermission.objects.filter(user_id=current_user.id,
+                                                                          auth_target_type=self.data.get('source'),
+                                                                          workspace_id=self.data.get('workspace_id'),
+                                                                          permission_list__contains=['VIEW'])
+                .values_list(
+                    'target', flat=True))
+
+        nodes = Folder.objects.filter(base_q).get_cached_trees()
 
         TreeSerializer = get_folder_tree_serializer(self.data.get('source'))  # noqa
         serializer = TreeSerializer(nodes, many=True)

apps/folders/views/folder.py

@@ -6,7 +6,8 @@
 
 from common.auth import TokenAuth
 from common.auth.authentication import has_permissions
-from common.constants.permission_constants import Permission, Group, Operate, RoleConstants
+from common.constants.permission_constants import Permission, Group, Operate, RoleConstants, ViewPermission, \
+    PermissionConstants, CompareConstants
 from common.log.log import log
 from common.result import result
 from folders.api.folder import FolderCreateAPI, FolderEditAPI, FolderReadAPI, FolderTreeReadAPI, FolderDeleteAPI
@@ -37,9 +38,17 @@ class FolderView(APIView):
         tags=[_('Folder')]  # type: ignore
     )
     @has_permissions(
-        lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.CREATE,
-                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"),
-        RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role()
+        lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{r.data.get('parent_id')}"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"
+                                     ),
+        lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()],
+                                         [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"),
+                                                     operate=Operate.SELF,
+                                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{r.data.get('parent_id')}"
+                                                     )], CompareConstants.AND),
+        RoleConstants.WORKSPACE_MANAGE.get_workspace_role()
     )
     @log(
         menu='folder', operate='Create folder',
@@ -63,7 +72,8 @@ def post(self, request: Request, workspace_id: str, source: str):
         tags=[_('Folder')]  # type: ignore
     )
     @has_permissions(
-        lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_WORKSPACE_USER_RESOURCE_PERMISSION"), operate= Operate.READ,
+        lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_WORKSPACE_USER_RESOURCE_PERMISSION"),
+                                     operate=Operate.READ,
                                      resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"),
         lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.READ,
                                      resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"),
@@ -73,7 +83,7 @@ def post(self, request: Request, workspace_id: str, source: str):
     def get(self, request: Request, workspace_id: str, source: str):
         return result.success(FolderTreeSerializer(
             data={'workspace_id': workspace_id, 'source': source}
-        ).get_folder_tree(request.query_params.get('name')))
+        ).get_folder_tree(request.user, request.query_params.get('name')))
 
     class Operate(APIView):
         authentication_classes = [TokenAuth]
@@ -90,8 +100,17 @@ class Operate(APIView):
         )
         @has_permissions(
             lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT,
-                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"),
-            RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role()
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"
+                                         ),
+            lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT,
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}"
+                                         ),
+            lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()],
+                                             [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"),
+                                                         operate=Operate.SELF,
+                                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}"
+                                                         )], CompareConstants.AND),
+            RoleConstants.WORKSPACE_MANAGE.get_workspace_role()
         )
         @log(
             menu='folder', operate='Edit folder',
@@ -132,9 +151,18 @@ def get(self, request: Request, workspace_id: str, source: str, folder_id: str):
             tags=[_('Folder')]  # type: ignore
         )
         @has_permissions(
-            lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.DELETE,
-                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"),
-            RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role()
+            lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT,
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"
+                                         ),
+            lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT,
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}"
+                                         ),
+            lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()],
+                                             [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"),
+                                                         operate=Operate.SELF,
+                                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}"
+                                                         )], CompareConstants.AND),
+            RoleConstants.WORKSPACE_MANAGE.get_workspace_role()
         )
         @log(
             menu='folder', operate='Delete folder',

apps/knowledge/serializers/knowledge.py

@@ -161,7 +161,7 @@ def get_query_set(self, workspace_manage, is_x_pack_ee):
             query_set_dict['knowledge_custom_sql'] = QuerySet(model=get_dynamics_model({
                 'knowledge.workspace_id': models.CharField(),
             })).filter(**{'knowledge.workspace_id': workspace_id})
-            query_set_dict['folder_query_set'] = folder_query_set
+            # query_set_dict['folder_query_set'] = folder_query_set
             if not workspace_manage:
                 query_set_dict['workspace_user_resource_permission_query_set'] = QuerySet(
                     WorkspaceUserResourcePermission).filter(
@@ -321,7 +321,6 @@ def one(self):
                 'knowledge_custom_sql': QuerySet(
                     model=get_dynamics_model({'knowledge.id': models.CharField()})
                 ).filter(**{'knowledge.id': self.data.get("knowledge_id")}),
-                'folder_query_set': QuerySet(KnowledgeFolder)
             }
             if not workspace_manage:
                 query_set_dict['workspace_user_resource_permission_query_set'] = QuerySet(

apps/knowledge/sql/list_knowledge.sql

@@ -28,26 +28,5 @@ FROM (SELECT "temp_knowledge".id::text, "temp_knowledge".name,
                           GROUP BY knowledge_id) app_knowledge_temp
                          ON temp_knowledge."id" = "app_knowledge_temp".knowledge_id
                left join "user" on "user".id = temp_knowledge.user_id
-      UNION
-      SELECT knowledge_folder."id",
-             knowledge_folder."name",
-             knowledge_folder."desc",
-             0                            as "type",
-             'folder'                     as "resource_type",
-             knowledge_folder."workspace_id",
-             knowledge_folder."parent_id" as "folder_id",
-             knowledge_folder."user_id",
-             "user"."nick_name"           as "nick_name",
-             knowledge_folder."create_time",
-             knowledge_folder."update_time",
-             0                            as file_size_limit,
-             0                            as file_count_limit,
-             'WORKSPACE'                  as "scope",
-             ''                           as "embedding_model_id",
-             0 as char_length,
-             '{}'::jsonb as meta,
-                0 as application_mapping_count,
-                0 as document_count
-      from knowledge_folder left join "user"
-      on "user".id = user_id ${folder_query_set}) temp
+      ) temp
     ${default_sql}

apps/knowledge/sql/list_knowledge_application.sql

@@ -3,10 +3,11 @@ SELECT
 FROM
 	application
 WHERE
-	user_id = %s UNION
+	user_id = %s
+UNION
 SELECT
 	*
 FROM
 	application
 WHERE
-	"id" in (select target from workspace_user_resource_permission where auth_target_type = 'APPLICATION' and 'VIEW' = any (permission_list))
+	"id"::text in (select target from workspace_user_resource_permission where auth_target_type = 'APPLICATION' and 'VIEW' = any (permission_list))